Severity: important
Affected versions:
- Cordova Plugin InAppBrowser (cordova-plugin-inappbrowser) 3.1.0 through 6.0.0
Description:
## Summary
The iOS implementation of `cordova-plugin-inappbrowser` passes the `id` field
from a `WKScriptMessage` body to `commandDelegate sendPluginResult:callbackId:`
with no format validation (`CDVWKInAppBrowser.m:560–574`). Any web content
loaded inside the InAppBrowser can fire any pending Cordova callback in the
host app by posting a message whose `id` field is a guessable or enumerated
callback identifier. An attack abusing this weakness must be tailored to the
specific plugins and callback IDs the host app uses, though an attacker with
knowledge of common Cordova plugin configurations could craft reusable payloads
targeting widely adopted plugins.
## Impact
An unauthenticated remote attacker who controls content displayed in the
InAppBrowser — via a URL the app opens (OAuth redirect, marketing link,
deep-link target) or a network interception — can call
`window.webkit.messageHandlers.cordova_iab.postMessage({id:
'<victim-callback-id>', d: '...'})` to fire callbacks belonging to any other
installed Cordova plugin (Camera, Contacts, File, Geolocation). Cordova
callback IDs follow the predictable format `<PluginName><sequential-integer>`,
making enumeration feasible. Successful exploitation allows the attacker to
spoof plugin results across trust boundaries — for example, injecting a forged
camera approval, a fabricated contacts list, or a crafted file-read response.
This issue affects Cordova Plugin InAppBrowser: from 3.1.0 through 6.0.0.
Users are recommended to upgrade to version 6.0.1, which fixes the issue.
This issue is being tracked as #1152.
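The missing check described above is an ownership check: a message posted to the `cordova_iab` handler may only fire a callback the InAppBrowser plugin itself handed out (for example, the callback of a pending `executeScript` call), never a callback belonging to another plugin. The following is an added illustration written for this advisory, not code from `cordova-plugin-inappbrowser` and not its actual 6.0.1 fix; it models the native dispatch path in JavaScript so the logic can be run in isolation. The class and method names (`InAppBrowserBridge`, `registerPendingCallback`, `handleScriptMessage`) and the sample callback IDs are assumptions constructed for the example.

```javascript
// Added illustration (not the plugin's own code): a model of the native-side
// handling of messages posted to the `cordova_iab` script message handler,
// with the ownership check that the advisory says is missing.
// `dispatch` stands in for `commandDelegate sendPluginResult:callbackId:`.

class InAppBrowserBridge {
  constructor(dispatch) {
    this.dispatch = dispatch;   // forwards (callbackId, result) to the host app
    this.pending = new Set();   // callback IDs this plugin itself minted
    this.rejected = [];         // audit trail of refused messages (for logging)
  }

  // Called when the host app issues executeScript(): the plugin creates the
  // callback ID, so only IDs registered here may ever be fired from the browser.
  registerPendingCallback(callbackId) {
    this.pending.add(callbackId);
  }

  // `body` is the object the page content passed to
  // window.webkit.messageHandlers.cordova_iab.postMessage({id, d}).
  handleScriptMessage(body) {
    if (body === null || typeof body !== 'object' || Array.isArray(body)) {
      return this.reject('body-not-object', undefined);
    }
    const { id, d } = body;
    if (typeof id !== 'string' || id.length === 0) {
      return this.reject('id-not-string', undefined);
    }
    // The decisive check: the id must be one this plugin is waiting on.
    // An enumerated id such as "Camera1" is refused regardless of its format.
    if (!this.pending.has(id)) {
      return this.reject('id-not-owned', id);
    }
    this.pending.delete(id);    // one-shot: replaying a consumed id is refused too
    const result = typeof d === 'string' ? d : '';
    this.dispatch(id, result);
    return { dispatched: true, reason: null, id, result };
  }

  reject(reason, id) {
    const entry = { dispatched: false, reason, id };
    this.rejected.push({ reason, id });
    return entry;
  }
}

// Runs a constructed sequence: one legitimate executeScript callback, one
// enumerated id from another plugin, and one replay of the consumed id.
function demo() {
  const fired = [];
  const bridge = new InAppBrowserBridge((id, d) => fired.push({ id, d }));
  bridge.registerPendingCallback('InAppBrowser7');   // constructed sample id
  const results = [
    bridge.handleScriptMessage({ id: 'Camera1', d: 'forged' }),        // not owned
    bridge.handleScriptMessage({ id: 'InAppBrowser7', d: 'page-result' }), // legitimate
    bridge.handleScriptMessage({ id: 'InAppBrowser7', d: 'replay' }),  // already consumed
  ];
  return { fired, results, rejected: bridge.rejected };
}

console.log(JSON.stringify(demo(), null, 2));
```

The `rejected` list is the part a defender would wire to logging: repeated `id-not-owned` refusals with ids that follow the `<PluginName><integer>` pattern are a direct signal that page content inside the InAppBrowser is probing callback ids.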
Credit:
Niklas Merz (finder)
References:
https://cordova.apache.org/
https://www.cve.org/CVERecord?id=CVE-2026-47430
https://issues.apache.org/jira/browse/#1152